Wednesday, July 2, 2014

IT-GRC

IT-GRC is essentially enterprise GRC functions (workflow, data
repository, regulatory mapping, etc) focused on IT specific needs. The
only reason we have IT-GRC is because, traditionally, the original GRC
vendors were focused on addressing SOX and other global financial
integrity regulations and were terrible at IT requirements. That gap is
closing, however.
Over the last two years, IT-GRC has begun to bifurcate into
IT-related GRC functions and security operations functions. These market
changes have caused us to reset the use of the term IT GRC so that we can
provide useful guidance to our clients in selecting appropriate
technologies for their requirements.

In 2013, there is little evidence that security technology data is
being used in any material or comprehensive manner to directly support
senior IT and business leadership in decision making. However, there is
an important evolution in the prioritization and remediation of
vulnerability and security configuration management data using business
context that is changing vulnerability management and other security
operations use cases. This evolution will be covered separately from IT
GRC technologies.
Our experience on client and reference calls has indicated that
IT GRC needs fall roughly into two areas. The first supports oversight and
governance functions that typically bridge IT information to support IT
and business leadership for reporting and decision making. This is
present in use cases such as vendor risk management, policy management,
integrated risk reporting and risk assessment. The second supports
information security operations requirements through the centralization
of security technology data. This is present in use cases such as
vulnerability management, continuous monitoring and the management of
technology-centric compliance requirements such as Payment Card Industry
Data Security Standard (PCI DSS).
Consider a metaphor where a horizontal line is used to separate IT
from non-IT business needs (see figure below). The first area can be
described as "above the line," and the second area can be described as
"below the line."
Using patch management as an example, the operations functions that
monitor patch states, prioritize and guide remediation are all within
the first line of defense. They are considered below the line and not
within the definition of IT GRC. The governance functions that use patch
information to rate business units on patching effectiveness to guide
risk-related decision making are part of the second line of defense.
They are above the line and considered to be a part of core IT GRC
activity.
IT GRC technologies and providers for above-the-line use cases will
be published in the latest MarketScope for IT GRC. Below-the-line
requirements will be addressed, in part, as an extension of
vulnerability management. There is no hard definition for the below-the-line
use cases that have been excluded from IT GRC, because this is an
evolving set of solutions that includes traditional IT GRC vendors and
vulnerability management vendors.

Our new definition of IT-GRC
IT GRC technologies are used primarily to bridge IT-related data in
support of senior IT and non-IT decision making. This is composed of
functions for mapping controls into control objectives, survey
capabilities, workflow to support non-IT decision making, and non-IT
executive reporting.
The use cases for security operations will no longer be referred to as
IT GRC in our research and will be considered an extension of vulnerability
management research for the benefit of IT operations. This is composed
of functions for the import of technical data from third-party products,
workflow to support prioritization and IT remediation activities, and
an IT asset database supporting IT decision making.
IT GRC is composed of functions to support non-IT decision making and non-IT executive reporting:

Controls and policy mapping.

Survey capabilities.

GRC asset repository.

Workflow.

IT risk evaluation and dashboards.

The functions supporting data import from third-party security tools,
such as vulnerability assessment and security configuration management,
remain a part of IT GRC. However, these functions are primarily used in
support of the below-the-line security technology use cases.
These changes seem to have everyone in a tizzy. But here's the bottom
line: Security operations is security operations. We are not going
to call that IT GRC.